Brussels hopes for its cyber moment

The EU wants to rise to the level of major cyberpowers like Russia and the United States — but the odds are stacked against it.

Cyber insecurity has taken the EU by storm: In the last year, parts of the internet went dark; national health systems and banks were crippled; Ukraine’s airport was attacked; and French President Emmanuel Macron’s election campaign was hacked.

EU leaders are playing catch-up to tweak their laws and policies in response and boost a European industry capable of countering malicious hackers. But Brussels is finding it difficult to carve out a role of its own, especially when the debate turns to cyberwar, cyberweapons and the powers that states can wield to “hack back” at cybercriminals.

“Europe is not ready to make a huge step,” said Steve Purser, head of core operations at the EU cyber agency ENISA. National and European officials are sparring over how much power the EU should wield on cybersecurity — and who should wield that power.

The struggle will dominate the fall, when the Commission is expected to present a new cybersecurity strategy, boost its main cyber agency’s resources and powers, and unveil legislation to better secure devices that connect to the internet. The strategy is expected sometime around Commission President Jean-Claude Juncker’s State of the European Union speech in mid-September and will update an earlier plan. That 2013 outline dealt with challenges such as safe online banking, the emerging threat of malware and how the EU could boost awareness on cybersecurity.

“The world has changed a lot, even in the few years since 2013,” said Victoria Espinel, president of the global tech lobby group BSA | The Software Alliance.

Keeping up with the Joneses

The U.S. and Russia have intelligence agencies capable of launching covert cyberattacks. Some European countries, including the U.K. and Germany, have strong cyber units within their intelligence and security services as well as in their military.

Cybersecurity treads a thin line between national security — not an EU competence — and IT security, in which the EU has a lead role.

EU authorities “can consult, they can advise, but they can’t bring something to the table. It is important for countries to exchange information bilaterally,” said Arne Schönbohm, president of the German Federal Office of Information Security.

At the least, the Commission wants to bring clarity to how it organizes cybersecurity decisions with its new strategy.

That’s critical. The lack of competence over cybersecurity is compounded by internal competition at the Commission. Departments are fighting to take a lead role. At least six commissioners aim to outdo one another in pursuit of the limelight: Andrus Ansip (the digital vice president), Julian King (security), Dimitris Avramopoulos (home affairs), Jyrki Katainen (the vice president for investment), Elżbieta Bieńkowska (industry) and Federica Mogherini (the foreign affairs chief) have all presented important EU moves against cyberthreats. The new digital commissioner, Mariya Gabriel, beefed up her cabinet with cyber expert Carl-Christian Buhr.

“Decisions are made in many different places but people don’t necessarily have all the information,” ENISA’s Purser said. “Everybody wants to be in cybersecurity.”

Complicating things even more, at least four agencies and services in addition to ENISA play a significant role in cybersecurity policy: Europol’s European Cybercrime Centre, the European Defence Agency, the EU’s internal Cyber Emergency Response Team and the European Aviation Security Agency’s center for cybersecurity.

At the same time, “the member states and the member states’ agencies are on the front line and we’re not about stepping in and replacing them,” said King, the commissioner tasked with security issues.

Industrial policy coming

The Commission is also expected to go full steam ahead in addressing some glaring glitches in cybersecurity for consumer products.

There are more than 5 billion connected devices in the hands of consumers worldwide, according to research firm Gartner’s estimates, and that number is expected to skyrocket in coming years. Many are poorly secured and have been drawn into networks to conduct cyberattacks like the October attack by a botnet called Mirai.

It’s a problem for Europe’s manufacturers and industrial giants in countries like Germany, which have bet big on the concept of the IoT to improve their products. Promises to remotely repair cars and improve energy networks through software have Commission officials dreaming of a booming high-tech industry boosting jobs and wealth in Europe.

To safeguard that dream, the Commission is drafting legislation that would require manufacturers of internet-connected devices to respect certain security standards. The new legislation will come with a “trust label” ensuring consumers Europe’s single market is the most secure place to buy.

Beyond that, it will take time for Europe to collectively get behind a strong cybersecurity policy to counter larger challenges — to the frustration of those who want it to take on a bigger role.